[Zope] assignment to form records
Dylan Reinhardt
zope@dylanreinhardt.com
Mon, 10 Mar 2003 00:31:34 -0800
At 10:34 PM 3/9/2003, Edward Muller wrote:
>All that things like :record and :records do (after reading various
>docs) is pass a variable named items with the following attributes
>.desc, .item, .qty. What you do with that variable is then up to you.
Indeed.
>I don't see how using this functionality is in any way a security hole.
By itself, it's probably not. But it facilitates insecure coding habits.
I already suspect that poor validation is rampant in Zope. One of the
classic questions that pops up here from time to time is how you're
supposed to capture the "off" value of checkboxes when you only get
information on the ones that are checked. This question betrays a deep,
dark secret lurking in many web apps: many developers have no idea what
fields to expect nor what rules their data can be validated against.
Relying on the client to pass along special type & structure codes suggests
a similarly high level of uncertainty as to what data is expected and what
rules it should be validated against. It's not the feature itself, but the
avoidance of validation that gives me concern.
But every application has its own requirements and its own
environment. Each of us needs to determine what level of paranoia is
justified by the specific requirements of each system.
Dylan
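The server-side validation the mail argues for, as an added example that is not part of the original thread or of Zope itself: a Python handler that groups Zope-style `items.attr:type:records` fields into records (an approximation of ZPublisher's marshalling) and then checks each record against the fields the server expects, supplying the unchecked-checkbox default and rejecting anything it never asked for. The names `EXPECTED`, `marshal_records`, `validate_item`, `handle_form` and the sample submission are constructed for this example.

```python
# Added example, not from the thread or from Zope: validate against the server's own schema.
EXPECTED = {                  # attribute -> (converter, default when the field is absent)
    "desc": (str, None),      # None: required, no default
    "qty": (int, None),
    "taxable": (bool, False), # checkbox: browsers omit it entirely when unchecked
}

def marshal_records(pairs):
    """Group submitted (key, value) pairs into dicts following the Zope-style
    'items.attr:type:records' convention (approximated here; ZPublisher's real
    marshalling differs in detail). Type suffixes are ignored: they are client input."""
    records, current = [], {}
    for key, value in pairs:
        name, _, rest = key.partition(".")
        attr = rest.split(":")[0]
        if name != "items" or not attr:
            continue
        if attr in current:       # attribute repeats: a new line item starts
            records.append(current)
            current = {}
        current[attr] = value
    if current:
        records.append(current)
    return records

def validate_item(raw):
    """Return a clean record or raise ValueError; conversion happens here, not in the client."""
    unexpected = sorted(set(raw) - set(EXPECTED))
    if unexpected:
        raise ValueError("unexpected field(s): %s" % unexpected)
    clean = {}
    for attr, (convert, default) in EXPECTED.items():
        if attr not in raw:                 # absent field: the checkbox "off" case
            if default is None:
                raise ValueError("missing required field: %s" % attr)
            clean[attr] = default
        elif convert is bool:
            clean[attr] = raw[attr] in ("on", "1", "true")
        else:
            clean[attr] = convert(raw[attr])  # int("abc") raises ValueError itself
    return clean

def handle_form(pairs):
    return [validate_item(rec) for rec in marshal_records(pairs)]

# Constructed submission: two line items, the second with its checkbox unchecked.
SAMPLE = [("items.desc:records", "widget"), ("items.qty:int:records", "3"),
          ("items.taxable:records", "on"),
          ("items.desc:records", "gadget"), ("items.qty:int:records", "1")]
```

Running `handle_form(SAMPLE)` yields two validated records, while a submission that drops the `:int` hint and sends `qty=abc`, adds an unexpected `items.discount` field, or omits a required field raises `ValueError`.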